Collecting customers’ personal information (PII data) is part and parcel of running a business, whether you’re making a sale, scheduling an appointment, or providing customer support.
As data-collecting technologies evolve, so have regulations designed to protect consumers’ personal information. While legal protections vary worldwide, most policies share a common thread—Data Subject Access Request, or DSAR.
What is DSAR, and what does it look like in practice? In this article, we’ll explore everything you need to know about the DSAR process, whether or not your business must comply, maximum time frames, team members most likely to be involved in resolving requests, and what the actual resolution process looks like.
Whether your company uses a dedicated data privacy platform or not, you still have a responsibility to comply with applicable laws—this guide can help.
What is DSAR?
Before we answer this article’s principal question—“What is DSAR?”—and explore what the DSAR process could look like for your business, let’s zoom out.
Numerous jurisdictions worldwide have enacted data privacy laws (we’ll discuss some of them in the next section). Many of these regulations stipulate consumers’ right of access or their legal entitlement to their data.
While each law provides consumers with different rights, most require that consumers can:
- Access the personal data that a company has collected from them
- Request that the data be securely sent to them
- Require companies to delete any personal information they’ve stored
- Opt-out of data sales to third-party vendors
As a result, most data privacy laws include requirements for Data Subject Rights (DSR) requests or Data Subject Access Requests (DSAR). DSR and DSAR are interchangeable terms, and they describe the formal process that consumers may use to exercise the rights above. But DSAR and DSR requirements are important to ensure companies are staying compliant.
Who Must Comply with DSAR Regulations?
When a consumer submits a data subject access request to a company within the jurisdiction of a data privacy law, the company is legally obligated to complete and respond to the request to the extent of the applicable law.
Does your company need to worry about the DSAR process? Review the following list of common data privacy notice laws to determine your business’s legal obligations for a DSAR response:
- CCPA/CPRA – The California Consumer Privacy Act of 2018 (CCPA) requires that businesses operating in California or providing services to California residents must honor consumers’ requests to access and delete their collected personal data and opt-out of third-party vendor access. The upcoming California Consumer Privacy Rights Act (CPRA) will expand the rights stipulated in the CCPA starting in 2023.
- CPA – The Colorado Privacy Act (CPA) defines consumers’ data access rights, businesses’ obligations to protect personal data, and legal recourse in the event of violations. The law goes into effect in July of 2023.
- UCPA – The Utah Consumer Privacy Act (UCPA) is nearly identical to the CCPA, but applies specifically to Utah residents, Utah businesses, and companies doing business there. This data protection act will take effect in December of 2023.
- VCDPA – The Virginia Consumer Data Protection Act (VCDPA)—which will take effect in January of 2023)—is essentially identical to the CCPA, and establishes various legal procedures for violations in the state of Virginia.
- GDPR – The General Data Protection Regulation (GDPR) law was established in 2018. GDPR compliance is extremely important as It remains one of the most nuanced, ironclad data privacy laws in the world, and stipulates legal obligations for both EU-based companies and businesses collecting information from EU residents.
How Much Time Do You Have to Respond to a DSAR?
The amount of time you have to complete and respond to a DSAR depends upon your jurisdiction—most laws require that businesses oblige and acknowledge requests within 30-45 days.
However, some jurisdictions allow companies to request extensions of up to 15 days for a DSAR response.
In order to meet legal compliance deadlines, it’s crucial that your business establish a system for logging and processing DSARs. If your company misses a deadline for completion, response, or extension, you could be subject to legal action.
Who Can Conduct a DSAR?
Since the data privacy laws listed above are relatively new, your company may not have established a standard operating procedure (SOP) for the DSAR process yet.
But, depending on individual employees’ access to certain data in your company’s network, not all team members may be authorized to manage requests. To complete a DSAR, an employee must be able to do the following:
- Access all of a consumer’s personal data
- Send or delete all of a consumer’s personal data
- Communicate directly with DSAR inquirers
- Liaise with third parties to whom the company has sold a consumer’s personal data
The last point above is arguably the most important—all of the regulations described in a previous section allow consumers to opt-out of data trading. So, once someone files an opt-out request, you must:
- Refrain from selling the consumer’s personal information
- Inform vendors who have bought or sold the consumer’s data to stop future sales
Depending on your company’s network structure, the number of employees in your IT department, or employee access to your data privacy platform, your company will need to take one of two approaches when creating a DSAR SOP:
- Extend appropriate permissions to all employees who will complete requests
- Delegate DSAR processing to employees with specific access
Handling a DSAR: A Step-By-Step Guide
We’ve covered quite a bit of ground about DSAR—but, what could the DSAR process actually look like for your business? Let’s explore four steps that could help structure your SOP for DSAR fulfillment.
Step 1: Log the Request
As discussed in a previous section, your business must accommodate requests within a legally specified time frame. Thus, creating a log of DSAR inquiries is crucial to successful compliant request management.
But, logging isn’t as simple as creating a spreadsheet—you’ll need to establish other infrastructure to handle DSAR, including:
- Consumer request channels, like:
- An online form
- A dedicated email address
- A phone extension or hotline
- Intake and logging SOPs
- A logging system that can track various metrics, including:
- The name of the consumer
- The date their request was received
- The deadline for processing their request or requesting an extension
- The employees assigned to each specific request
- All communication regarding the request
- The actual completion or delivery date
Building a log and implementing a tracking system will require significant front-end work that will help your business achieve and maintain DSAR compliance.
Step 2: Gather Relevant Customer Data
Whether a consumer requests a data review, correction, or deletion, you’ll have to collect their information before taking any further steps.
So, your SOP should stipulate:
- The various network locations employees should search for stored data
- Where employees should compile an individual’s information
- Which employees may access the stored data and the compilation document
Collecting the requested data and information could require different permissions based on your industry or the type of consumer submitting the DSAR. Let’s explore some examples:
- If a former client of a law firm files a request, only specific employees may have access to their information per their jurisdiction’s counsel-client confidentiality laws.
- If your company is transitioning from paper files to a fully electronic system, customer data could temporarily be stored both digitally and physically—and different employees may have access to each storage type.
- If you’re in the healthcare industry, your business and employees must also accommodate medical confidentiality laws—like HIPAA, for US-based companies.
Step 3: Delete Data, Correct Information, and/or Complete Opt-Out Requests
Once you gather a customer’s requested data, it’s time to complete their actual request—deleting their information, correcting it, sending it to them for review, or opting them out of third-party sales (or all of these).
It’s crucial that your logging system can accommodate the various workflows in the DSAR/DSR fulfillment process. As employees complete the requests, they should log:
- The date and time of task completion
- The authorization they requested and/or received to complete the task
- The locations of the data they accessed
- Internal and external communications required to address the request
While complying with the law and consumer requests are the most important parts of the DSAR process, logging the steps taken will help your company remain transparent in the event of future requests from the same consumer or a regulatory audit.
Step 4: Respond to the Consumer
Once you’ve completed the logging process, collected all relevant data, and completed the applicable tasks, it’s time to alert the consumer that their DSAR is complete and closed.
You can take one or all of the following steps to respond to the inquirer:
- Send a confirmation email
- Provide an SMS confirmation
- Call the consumer
- Send a notification by mail
But, it’s important to note that different regulations stipulate specific acknowledgment procedures—for example, the GDPR law requires that requests made electronically must be acknowledged electronically unless otherwise requested by the consumer.
Confidently Navigate the DSAR Process with DataGrail
Depending on your company’s jurisdiction, the consumers you engage with, and your existing data privacy safeguards, establishing a compliant DSAR process could be simple or require a significant front-end time investment.
However, as data privacy laws continue to take shape worldwide, it’s crucial that your business develops a DSAR solution to remain compliant with all relevant laws.
At DataGrail, we provide innovative data privacy solutions for modern businesses. Our all-in-one data security platform can help you stay compliant with international laws—but, it can also protect your company from data theft, security breaches, and unauthorized access to your network.
Whether your business has recently embraced digital technologies or you’ve been working electronically for decades, DataGrail can help revolutionize your data privacy operations.
Frequently Asked Questions (FAQs)
Who can submit a subject access request?
Any individual is able to submit a data subject request in any way that is clearly communicated to the organization responsible for protecting their personal data. This includes verbal requests, written, and electronic requests such as via email or social media. While processing DSAR information may be the responsibility of a data protection officer, any individual in an organization may receive a DSAR request and must comply in a timely manner accordingly.
Can a company refuse a subject access request?
Protecting sensitive data and relevant information related to personal data is the top priority. A company may therefore refuse DSAR fulfillment on the legal basis that a request is suspected to be unfounded, excessive, or mendacious.
Sources: National Law Review. Employee Data Subject Access Requests: Part 1 – where are we now and what questions remain? https://www.natlawreview.com/article/employee-data-subject-access-requests-part-1-where-are-we-now-and-what-questions
UK Information Commissioner’s Office. Right of Access. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
National Conference of State Legislatures. State Laws Related to Digital Privacy. https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx
GDPR.eu. What is GDPR, the EU’s New Data Protection Law? https://gdpr.eu/what-is-gdpr/?cn-reloaded=1